CVE - CVE-2022-41678

CVE-ID
CVE-2022-41678	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest is able to invoke through refection. And then, RCE is able to be achieved via jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://security.netapp.com/advisory/ntap-20240216-0004/ MISC:https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt URL:https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt MISC:https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl URL:https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl MLIST:[oss-security] 20231128 CVE-2022-41678: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE URL:http://www.openwall.com/lists/oss-security/2023/11/28/1
Assigning CNA
Apache Software Foundation
Date Record Created
20220928	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20220928)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)